Analysis
max time kernel: 148s
max time network: 142s
platform: windows7_x64
resource: win7v20201028
submitted: 08-04-2021 05:41

Static task: static1
Behavioral task: behavioral1
  Sample: Shipping Documents.xlsx
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Shipping Documents.xlsx
  Resource: win10v20201028
General
Target: Shipping Documents.xlsx
Size: 2.2MB
MD5: ab599dc3956c9e72ad6187bca6d7d783
SHA1: c06939ab8436da2f3c37d0cece53837960943d19
SHA256: ce11e96fe93545cd9d381c440d7e172eebfe7c0e177c6485216313b144c415a3
SHA512: a28926991314329da86c8e76caeb0793c1f495733fdd5d61347eba55e0e65cdea3a9a02c23d0f912c86429228ab0eef9e010f8cd64dfbccacd5bc7f234d86cb2
Malware Config
Extracted
Family: xloader
Version: 2.3
C2: http://www.autotrafficbot.com/evpn/
Signatures

Xloader Payload 2 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/868-19-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral1/memory/756-25-0x0000000000080000-0x00000000000A9000-memory.dmp  xloader

Blocklisted process makes network request 3 IoCs
Processes:
flow  pid  process
6     316  EQNEDT32.EXE
8     316  EQNEDT32.EXE
10    316  EQNEDT32.EXE

Executes dropped EXE 2 IoCs
Processes:
pid  process
848  vbc.exe
868  vbc.exe

Loads dropped DLL 4 IoCs
Processes:
pid  process
316  EQNEDT32.EXE
316  EQNEDT32.EXE
316  EQNEDT32.EXE
848  vbc.exe

Uses the VBS compiler for execution 1 TTPs

Suspicious use of SetThreadContext 3 IoCs
Processes:
description                         pid  process       target process
PID 848 set thread context of 868   848  vbc.exe       vbc.exe
PID 868 set thread context of 1268  868  vbc.exe       Explorer.EXE
PID 756 set thread context of 1268  756  ipconfig.exe  Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NSIS installer 6 IoCs
Processes:
resource                 yara_rule
\Users\Public\vbc.exe    nsis_installer_1
\Users\Public\vbc.exe    nsis_installer_1
\Users\Public\vbc.exe    nsis_installer_1
C:\Users\Public\vbc.exe  nsis_installer_1
C:\Users\Public\vbc.exe  nsis_installer_1
C:\Users\Public\vbc.exe  nsis_installer_1

Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description  ioc                                                                   process
Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid  process
756  ipconfig.exe

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes (all by EXCEL.EXE):
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt
- Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"

Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
1740  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
pid  process
868  vbc.exe (2 events)
756  ipconfig.exe (27 events)

Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid  process
848  vbc.exe (1 event)
868  vbc.exe (3 events)
756  ipconfig.exe (2 events)

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description                  pid   process
Token: SeDebugPrivilege      868   vbc.exe
Token: SeShutdownPrivilege   1268  Explorer.EXE
Token: SeShutdownPrivilege   1268  Explorer.EXE
Token: SeDebugPrivilege      756   ipconfig.exe

Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid   process
1268  Explorer.EXE (4 events)

Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid   process
1268  Explorer.EXE (4 events)

Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid   process
1740  EXCEL.EXE (3 events)

Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description                  pid   process       target process  events
PID 316 wrote to memory of 848   316   EQNEDT32.EXE  vbc.exe         4
PID 848 wrote to memory of 868   848   vbc.exe       vbc.exe         5
PID 1268 wrote to memory of 756  1268  Explorer.EXE  ipconfig.exe    4
PID 756 wrote to memory of 1620  756   ipconfig.exe  cmd.exe         4
Processes
C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.xlsx"
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  "C:\Windows\SysWOW64\ipconfig.exe"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Downloads
C:\Users\Public\vbc.exe
  MD5:    f818665dd48a93c48255d3ceadf92a6e
  SHA1:   2567c8a3e1a3e3e98782ea8d0d117518ccd4291b
  SHA256: 6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92
  SHA512: ab05d43f21ca306ce3f0ab580206ef992fa7f004de21a15738448603e96213b16dd76c8e45fd625ed1c9c894ceded6fdfa8eca21874c405e9acc0fe84e961f4c
\Users\Admin\AppData\Local\Temp\nsi250F.tmp\i9y7dp4bi0ysdq.dll
  MD5:    41f5d6cadd673464980f0835b0801d4d
  SHA1:   6753c31b14c5cfa9f3bcf8d05db35554be80ba68
  SHA256: 491ab0be0c90490bdc145350f86ed973c715dc2f9236d0beb1a7e6ef8d04a4e8
  SHA512: d61d598894350c5497db9419678ca63705e64f3b4368da1675acd8e7ddf141b6c6d6ccc0ac821cf07f3464a2285df95617e4a7bc1a8390cb46567d360b645210
Memory dumps (filesize where captured):
memory/316-5-0x00000000766F1000-0x00000000766F3000-memory.dmp    8KB
memory/756-22-0x0000000000000000-mapping.dmp
memory/756-25-0x0000000000080000-0x00000000000A9000-memory.dmp   164KB
memory/756-27-0x0000000000B00000-0x0000000000E03000-memory.dmp   3.0MB
memory/756-24-0x0000000000E50000-0x0000000000E5A000-memory.dmp   40KB
memory/756-28-0x00000000008C0000-0x000000000094F000-memory.dmp   572KB
memory/848-10-0x0000000000000000-mapping.dmp
memory/848-17-0x00000000008E0000-0x00000000008E2000-memory.dmp   8KB
memory/868-15-0x000000000041D0C0-mapping.dmp
memory/868-19-0x0000000000400000-0x0000000000429000-memory.dmp   164KB
memory/868-20-0x00000000002A0000-0x00000000002B0000-memory.dmp   64KB
memory/868-18-0x0000000000990000-0x0000000000C93000-memory.dmp   3.0MB
memory/1268-21-0x0000000006030000-0x0000000006174000-memory.dmp  1.3MB
memory/1268-29-0x0000000006180000-0x00000000062FA000-memory.dmp  1.5MB
memory/1620-26-0x0000000000000000-mapping.dmp
memory/1740-2-0x000000002FC31000-0x000000002FC34000-memory.dmp   12KB
memory/1740-4-0x000000005FFF0000-0x0000000060000000-memory.dmp   64KB
memory/1740-3-0x00000000715E1000-0x00000000715E3000-memory.dmp   8KB
memory/1748-6-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp   2.5MB